AWS introduces centralized security controls to help companies implement MFA
- AWS introduces central root access management tools for AWS Organizations
- The tool allows security teams to manage root user access
- Root sessions are also introduced for short-term root access
AWS Identity and Access Management (IAM) now helps enterprises drive multi-factor authentication (MFA) adoption and tighten organizational security with a new centrally managed root access feature.
The feature lets security teams manage root credentials and root sessions across all member accounts of an AWS Organizations organization from the management account.
AWS hopes the tool will help reduce the risk of lateral movement and escalation of privileges in the event of a cyberattack, while also making day-to-day security easier and more scalable.
Improving MFA and account security
AWS has recently taken several steps to improve account security, first requiring MFA for the root users of management accounts and then launching FIDO2 passkey support. AWS reports that this has produced a 100% increase in MFA adoption among AWS Organizations users, with over 750,000 AWS root users now using a phishing-resistant authentication method.
Security teams can now also remove long-term root credentials from member accounts so that they cannot be exploited, and block root password recovery so that the credentials cannot be restored and used maliciously.
“This will improve our customers’ security posture while reducing their operational efforts,” the blog post said.
The centralized management tool also allows security teams to create member accounts without root credentials, making them secure by default with no further hardening of the root user required. It also helps with compliance by letting security teams inventory long-term root credentials across the organization and remove them.
As an additional preventive measure against root credential abuse, AWS is also introducing "root sessions": short-term, task-scoped credentials for specific privileged actions in a member account, following the principle of least privilege to minimize the possibility of malicious use.
Root sessions also reduce the burden on security teams by helping them adhere to AWS best practices and perform privileged root actions from one central place, rather than manually logging in to the root user of each member account.
Central root access management is available through the IAM console, AWS CLI, or AWS SDKs, with additional details on managing root credentials on the AWS blog.
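The workflow the article describes, shown as an added shell example that is not code from the article or from AWS: enabling both centralized features from the management account, then using a root session scoped to a single task policy to audit or delete one member account's root password. The account IDs, the wrapper function names and the assumption that `iam get-account-summary` and `iam delete-login-profile` are permitted by the named task policies are mine; check the published task policy documents before relying on them.

```shell
#!/bin/sh
# Added example (not from the article or AWS). Assumes: AWS CLI v2 configured
# with a management-account principal allowed to call the IAM Organizations
# feature APIs and sts:AssumeRoot; member account IDs supplied by the caller.
set -eu

# Task policies AWS publishes for root sessions. A root session is scoped to
# exactly one of these, which is what keeps it least-privilege.
root_task_policy_arn() {
  case "$1" in
    IAMAuditRootUserCredentials|IAMCreateRootUserPassword|IAMDeleteRootUserCredentials|S3UnlockBucketPolicy|SQSUnlockQueuePolicy)
      echo "arn:aws:iam::aws:policy/root-task/$1" ;;
    *)
      echo "unknown root task: $1" >&2
      return 1 ;;
  esac
}

# One-time setup from the management account: trust IAM in Organizations, then
# turn on centralized root credentials management and root sessions.
enable_central_root_management() {
  aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
  aws iam enable-organizations-root-credentials-management
  aws iam enable-organizations-root-sessions
  # Expect both RootCredentialsManagement and RootSessions to be listed.
  aws iam list-organizations-features --query EnabledFeatures --output text
}

# Run one AWS CLI command inside a short-lived (max 900 s) root session for the
# given member account, scoped to the given task policy. The temporary
# credentials live only in the environment of that one command.
run_as_root() {
  account="$1"; task="$2"; shift 2
  creds=$(aws sts assume-root \
    --target-principal "$account" \
    --task-policy-arn "arn=$(root_task_policy_arn "$task")" \
    --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  printf '%s\n' "$creds" | {
    read -r ak sk st
    AWS_ACCESS_KEY_ID="$ak" AWS_SECRET_ACCESS_KEY="$sk" AWS_SESSION_TOKEN="$st" \
      aws "$@"
  }
}

# Audit: does the member account's root user still have keys or MFA set?
# (Assumes iam:GetAccountSummary is allowed by the audit task policy.)
audit_member_root() {
  run_as_root "$1" IAMAuditRootUserCredentials iam get-account-summary \
    --query 'SummaryMap.[AccountAccessKeysPresent,AccountMFAEnabled]'
}

# Remove the root password. Without --user-name, IAM acts on the caller, which
# in a root session is the account's root user. Root access keys and MFA
# devices, if any, would need removing under the same task policy.
delete_member_root_password() {
  run_as_root "$1" IAMDeleteRootUserCredentials iam delete-login-profile
}

main() {
  case "${1:-}" in
    enable) enable_central_root_management ;;
    audit)  audit_member_root "${2:?member account id required}" ;;
    remove) delete_member_root_password "${2:?member account id required}" ;;
    *) echo "usage: $0 enable | audit <account-id> | remove <account-id>" >&2
       return 2 ;;
  esac
}

# Dispatch only when invoked with arguments so the functions can be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

The point of `run_as_root` is that nothing here ever handles a long-term root password or key: each privileged action is a single command under a 15-minute session bound to one task policy, and the session is requested and logged from the management account, so CloudTrail shows who did what and under which scope.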